Date:      Thu, 2 Mar 2006 00:39:05 +0100
From:      Maxime Henrion <mux@FreeBSD.org>
To:        Wesley Shields <wxs@csh.rit.edu>
Cc:        arch@freebsd.org, current@freebsd.org, Lowell Gilbert <freebsd-current-local@be-well.ilk.org>, Kris Kennaway <kris@obsecurity.org>
Subject:   Re: HEADS UP: Importing csup into base
Message-ID:  <20060301233905.GH55746@elvis.mu.org>
In-Reply-To: <20060301233355.GA53937@csh.rit.edu>
References:  <20060301170306.GZ55746@elvis.mu.org> <4405F673.8060907@samsco.org> <44mzg9ucpm.fsf@be-well.ilk.org> <20060301211932.GA42815@csh.rit.edu> <20060301211708.GA30508@xor.obsecurity.org> <20060301233355.GA53937@csh.rit.edu>

Wesley Shields wrote:
> On Wed, Mar 01, 2006 at 04:17:08PM -0500, Kris Kennaway wrote:
> > On Wed, Mar 01, 2006 at 04:19:32PM -0500, Wesley Shields wrote:
> > > On Wed, Mar 01, 2006 at 03:33:41PM -0500, Lowell Gilbert wrote:
> > > > Scott Long <scottl@samsco.org> writes:
> > > > 
> > > > > Maxime Henrion wrote:
> > > > > > 	Hey all,
> > > > > > I have released a new snapshot of csup a few minutes ago,
> > > > > 
> > > > > [...]
> > > > > 
> > > > > >   - Executes (shell commands sent by the server, even more rarely
> > > > > > used),
> > > > > 
> > > > > Are you joking?
> > > > 
> > > > Are you asking whether he's joking about (1) the idea of ever
> > > > implementing it, (2) the fact that he hasn't done it yet, or 
> > > > (3) the idea that it's rarely used?  All of those sound 
> > > > reasonable to me...
> > > 
> > > I'm questioning (1) myself.  This just seems like a bad idea from a
> > > security perspective.  Of course, some kind of sanitization could
> > > mitigate the issue.
> > 
> > Let's not lose sight of the fact that whoever runs the cvsup server
> > already owns your machine, since they're giving you unauthenticated
> > source code [1].
> 
> You are right on this point.  But on the scale of potentially bad things
> I think a rogue server sending commands that the client executes is
> pretty close to a rogue server sending malicious source code.  At least
> the source is easily verifiable and (in the case of the malicious source
> being inserted at the master site) has a good chance of being noticed.
> 
> It's not that I'm 100% against this idea, but rather that I'd like to
> see the client be cautious of the possibility of a rogue server.  Of
> course, this could all be the plan and I'm just raising a non-issue.

Just to make things straight, executes are always off by default, and
need to be explicitly enabled by the user.  This is how it has always
been in CVSup, and there is no reason for csup to change that when it
will support executes.  That said, the mail I sent wasn't about whether
I should implement executes or not.  They are just part of the "missing
features" list.

Cheers,
Maxime
